DETAILED ACTION

1. This office action is in response to applicant's response filed on 12/08/2008.

2. Claims 1-6, 8-10, 12-14 and 16-21 are pending. 

3. Claims 1 and 19-21 are amended. 

4. Claims 7, 11 and 15 are canceled.

5. Applicant's arguments have been fully considered. 

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
12/08/2008 has been entered. 

Response to Arguments 

1. Applicant's arguments with respect to claims 1-6, 8-10, 12-14 and 16-21 have
been considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-6, 8-10, 12-14 and 16-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Dotan U.S. Patent Number 5,822,517 in view of Ostrovsky et al.,
Patent No.: 5,123,045 and of Fielding et al., Pub. No.: US 2004/0172551.

Referring to claims 1, 19, 20 and 21, Dotan teaches a system, an article of
manufacture and a method for detecting hostile software in a computer system 
comprising: 

storing a representation of configuration data associated with an operating 
system for the computer system obtained at a first time [column 4, lines 17-20]; 

comparing the stored representation of the configuration data obtained at the first 
time with a representation of the configuration data associated with the operating 
system for the computer system obtained at a second time, wherein the operating 
system is actively operating at second time [column 4, lines 20-22 and figs. 2A-2B]; 
and if deviation is detected between the stored representation of the configuration data 
obtained at the first time and the representation of the configuration data obtained at the
second time, automatically performing at least one remedial measure in response to the 
deviation detected, wherein the operating system continues to operate after the at least 
one remedial measure is performed [column 4, lines 22-56 and figs. 2A-2B]. Dotan 
does not appear to explicitly teach a method, wherein the stored representation of 
configuration data is encoded prior to being stored and the at least one remedial 
measure comprises determining a storage location associated with suspected 
executable code in the computer system and moving suspected executable code to a 
specified storage location for later evaluation. However, Ostrovsky teaches that the 
contents held in the slots of the buffers 21 can be readily observed by adversaries. To 
prevent adversaries from gaining any useful knowledge from such observation, the 
contents of each slot are encrypted prior to being stored in such slots. It is preferred that 
a private key probabilistic encryption method is used, such as presented in S. 
Goldwasser and S. Micali, "Probabilistic Encryption", Journal of Computer and System 
Science, Vol. 28, No. 2, 1984, 270-299. Whenever a value is stored in memory, every 
bit of the value is probabilistically encrypted. Specifically, a seed of the pseudo-random 
function F is stored into the protected CPU, and for every bit b, a new (unused before) 
argument i is picked. The encryption (i, b XOR (i)) is stored. Other encryption 
techniques, however, may be used [col. 7, lines 1-15 and figs. 3-5]. And Fielding 
teaches a process of screening one or more software files to determine any that are 
recognized to have a matching hash signature with a file contained in a database of files 
known to be Virus, Trojan, Worm, or otherwise potentially malicious or suspicious which 
then can be safely blocked, quarantined and/or deleted. This is accomplished through a
method and apparatus running on a firewall, network device, mail server, server, 
personal computer, PDA, cell phone or wireless device to compare the hash signature 
of each incoming software file against a regularly updated database of known infected 
file hash signatures. One or more users can be alerted when an infected file is 
identified. If quarantined the file is safely stored until virus software is updated properly 
with later developed virus definitions file(s), which are then used to eradicate or clean 
the infected file(s) or computer systems [abstract]. Dotan, Ostrovsky and Fielding are
analogous art because they teach software protection. 

At the time of the invention, it would have been obvious to one of ordinary skill in 
the art to modify the method of Dotan to include data is encoded prior to being stored of 
Ostrovsky because given that an adversary only sees encrypted contents, he is 
prevented from knowing the true contents of each slot, including the seeds. Hereinafter, 
it is assumed that all values stored in unprotected memory are already encrypted as 
described above. And One or more users can be alerted when an infected file is 
identified. If quarantined the file is safely stored until virus software is updated properly 
with later developed virus definitions file(s), which are then used to eradicate or clean 
the infected file(s) or computer systems of Fielding because quarantining helps for 
future clean up the virus (see abstract), please see KSR International Co. v. Teleflex 
Inc., 550 U.S-, 82 USPQ2d 1385 (2007) for further interpretation. 

Referring to claim 2, Dotan teaches a method for detecting hostile software in a
computer system, wherein the configuration data relates to identification of executable 
code installed in the computer system [column 4, lines 17-20]. 

Referring to claim 3, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the configuration data relates to identification of a command 
line for invoking executable code associated with a particular file extension [column 6, 
lines 4-9]. 

Referring to claim 4, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the configuration data is obtained from a registry maintained 
by the operating system [column 6, lines 1-7 and fig. 1]. 

Referring to claim 5, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the configuration data obtained from at least one key 
associated with the registry [column 6, lines 1-7]. 

Referring to claim 6, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the configuration data is obtained from a file stored in the 
computer system [column 6, lines 1-7]. 

Referring to claim 8, Dotan teaches a method for detecting hostile software in a
computer system, wherein the configuration data is compared to a predefined value 
[column 4, lines 65-66, predefined value is corresponding to the state of the program]. 

Referring to claim 9, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the configuration data is checked for addition of data 
[column 6, lines 37-50, fig. 2A and fig. 2B]. 

Referring to claim 10, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the configuration data is checked for removal of data 
[column 4, lines 22-26, an alarm signal inform a user that the data has been modified 
(addition/removal) see fig. 2A and 2B]. 

Referring to claim 12, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the at least one remedial measure comprises determining 
whether suspected executable code is currently executing [column 4, lines 51-56]. 

Referring to claim 13, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the at least one remedial measure further comprises 
terminating execution of the suspected executable code [column 4, lines 57-64, 
restoring the infected program occurs by terminating execution of the suspected 
program]. 

Referring to claim 14, Dotan teaches a method for detecting hostile software in a
computer system, wherein the suspected executable code does not receive notification 
prior to being terminated [column 4, lines 51-56, prior to termination, the suspected 
executable program is being under the process of comparing initial state and final state]. 

Referring to claim 16, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the at least one remedial measure comprises altering 
configuration data associated with the operating system to reflect the stored 
representation of the configuration data [column 5, lines 8-14]. 

Referring to claim 17, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the operating system is a Windows-based operating system 
[column 6, lines 9-12]. 

Referring to claim 18, Dotan teaches a method for detecting hostile software in a 
computer system, wherein the operating system is a Linux-based operating system 
[column 6, lines 9-12, MS-DOS is corresponding to Linux-based operating system]. 

Conclusion

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to YONAS BAYOU whose telephone number is (571)272-7610.
The examiner can normally be reached on M-F, 7:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Yonas Bayou/ 
Examiner, Art Unit 2434 
03/23/2009 



/ELLEN TRAN/ 

Primary Examiner, Art Unit 2434 



